On September 19, 2012, Senator John D. Rockefeller IV (D-WV), Chairman of the Senate Committee on Commerce, Science, and Transportation, wrote directly to the CEOs of the Fortune 500 companies regarding cybersecurity. He solicited their views “without the filter of beltway lobbyists” and requested that they provide by October 19, 2012, answers to eight questions pertaining to their companies’ cybersecurity practices and their concerns, if any, with certain aspects of the Cybersecurity Act of 2012 that failed to pass the Senate.1 The eight questions are:
- Has your company adopted a set of best practices to address its own cybersecurity needs?
- If so, how were these cybersecurity practices developed?
- Were they developed by the company solely, or were they developed outside the company? If developed outside the company, please list the institution, association, or entity that developed them.
- When were these cybersecurity practices developed? How frequently have they been updated? Does your company’s board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices?
- Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices?
- What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012?
- What are your concerns, if any, with the federal government conducting risk assessments in coordination with the private sector, to best understand where our nation’s cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012?
- What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country’s most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012?
The Rockefeller letter reflects the prevailing concern that our nation is not adequately protecting its cyber infrastructure.2 Although private industry has increased spending on cybersecurity in recent years—with one estimate placing the 2011 spending total at $80 billion3—one recent survey of 172 U.S. companies found that they would have to boost their cyber spending almost 900% to achieve a level of security that would stop 95% of cyberattacks.4 Given this spending gap and the increasing reports of foreign state actors—or companies with close ties thereto—engaging in economic espionage5 and cyberattacks,6 it is clear that the cyber threat to American industry is very real. Indeed, Secretary of Defense Leon Panetta recently warned that the United States is facing a possible “cyber-Pearl Harbor.”7
- The State of Cybersecurity Legislation and Regulation
Senator Rockefeller’s letter reflects his frustration with Congress’ inability to pass legislation to address that threat, and the questions he poses go to the core issues in the Congressional debate over that failed legislation: whether and to what extent the federal government should be involved (a) in setting minimum cybersecurity standards and (b) in asking companies to submit cyber information to the federal government. To appreciate the concerns underlying Senator Rockefeller’s letter, it is important to understand the evolution of the cybersecurity debate that has played out over the past year.
The debate started with the proposal by Senators Lieberman, Collins, Rockefeller, and Feinstein of the Cybersecurity Act of 2012. This proposed legislation would have addressed both the standard-setting and information-sharing issues.
Cybersecurity Standards: When introduced in February 2012, the original Cybersecurity Act called for the federal government to develop and impose mandatory cybersecurity standards on owners and operators in critical infrastructure industry sectors.8 Citing their projected costs on the private sector, the bill’s opponents pressed the Senate to forgo mandatory standards, and supporters of the Act ultimately agreed to make the cybersecurity standards voluntary.9 Concerns persisted, however, that the “voluntary” standards could become mandatory in practice, and the bill ultimately failed to obtain the 60 votes needed to end debate.
Information Sharing: The original Cybersecurity Act called for industry to share certain types of cyber information with the federal government. The Act classified cybersecurity-related information into four categories: (i) information related to cyber incidents and intrusions; (ii) information related to government-conducted risk assessments; (iii) information related to performance evaluations; and (iv) information related to cyber threats. Depending on the category of cyber information, the Act required mandatory or voluntary information sharing. It required critical infrastructure owners and operators covered by the Act to report cyber intrusions and incidents to the government.10 It required companies subject to cybersecurity performance requirements to provide information that the Department of Homeland Security (“DHS”) could use to conduct risk assessments and evaluate company compliance.11 It did not require the sharing of cyber threat information,12 but rather provided that such information could be provided voluntarily to the government or other private sector actors.13
The revised Cybersecurity Act maintained the same four categories, but only required the reporting of “significant cyber incidents” to the government.14 Information sharing related to the other three categories could be provided on a voluntary basis.15
Potential Executive Order
With the failure of the Cybersecurity Act, the debate has now shifted to the Executive Branch. In recent weeks, Senator Rockefeller and other members of Congress have urged the Obama administration to issue an executive order that could achieve some of the same ends as the Cybersecurity Act.16 Last month, Secretary of Homeland Security Janet Napolitano testified that the Administration is “close to completion” of such an order.17
According to press reports, the draft order closely mirrors the final version of the proposed Cybersecurity Act, with its largely voluntary program for cybersecurity standards and information sharing.18 In terms of standard-setting, a DHS-led cybersecurity council would develop guidance that would be used in the drafting of standards by industry representatives in collaboration with the National Institute of Standards and Technology (“NIST”).19 DHS would then work with the various sector coordinating councils—comprised of owners and operators from each particular sector of critical infrastructure20—to determine which critical infrastructure sectors should be covered and which of the standards each sector would choose to impose on itself.21 Each company in that industry sector would then be left with discretion to decide how it will meet the adopted voluntary standards.
In addition to prescribing this standard-setting process, the draft order will reportedly encourage information sharing and affirmatively “ask industry to voluntarily submit cyber threat information to the government.”22
Concerns with the Potential Executive Order
There is concern that these “voluntary” standards could still become compulsory in several different ways. First, the Executive Branch already has statutory authority to impose mandatory guidelines that it could apply to cybersecurity in certain sectors.23 For example, the Transportation Security Administration has authority to issue mandatory pipeline-security guidelines that could easily be applied to the cyber realm. The Executive Branch could also issue mandatory cybersecurity standards for port communication systems (regulated by the U.S. Coast Guard) and freight and passenger railroad operations (regulated by the Federal Railway Administration).24 Or, the SEC could issue a rule requiring publicly traded companies to disclose information related to their cybersecurity practices.
A number of commentators have also expressed the concern that this voluntary program could quickly become compulsory by the government’s use of “incentives” that would pressure companies to adopt minimum standards. One can think of myriad ways that this could be accomplished. Federal agencies could adopt a procurement preference for companies “certified” under a voluntary program.25 Or, the government could publish a list of those companies that comply with the voluntary standards and those that do not—thereby incentivizing companies to get on the right list and avoid the “name and shame” reputational impact of being on the wrong list.26
Given the Administration’s stated goal of setting cyber standards and information-sharing protocols, and the various levers and pressure points they can use to accomplish that goal, we should expect to see both concepts included in any proposed legislation or regulation that emerges in the near future.
- Key Open Questions
Any comprehensive cybersecurity legislation or regulation must tackle a number of key issues, all of which raise challenging questions.
- Standard Setting. Although many in Congress and the Administration prefer mandatory standards,27 they appear to have conceded that any cybersecurity program standards created by executive order or legislation will be voluntary.28 Even this compromise, however, will face stiff opposition. For instance, the U.S. Chamber of Commerce, which appeared initially receptive to an incentive-based approach,29 now contends that standards created even under a voluntary program “could be used to impose new obligations on participating companies.”30
- Information Sharing. Private industry and various lobbying groups have expressed a variety of concerns over any program that entails the sharing of threat and vulnerability information between the government and the private sector. First, as a general matter, companies worry that information sharing will be a one-way street, with considerably more information flowing to the government than to private industry. Second, companies worry that without sufficient liability protections, they could be subject to litigation for sharing certain protected customer information or for failing to share information about a threat that results in some actionable harm. Third, private companies have cited antitrust concerns about sharing information within their industry. And finally, advocacy groups worry about the privacy implications of this information sharing with the government.31
- Liability Protection. Congress, the Administration, and the private sector frequently identify liability protection as a key incentive to encourage companies to adopt cybersecurity standards or engage in sharing information related to cyber threats.32 The Obama administration has indicated, however, that any executive order will include no liability protections, as only Congress, through legislation, has the power to provide such protections.33
- Definition of Critical Infrastructure. Under both the revised Cybersecurity Act and, reportedly, the Obama administration’s draft executive order, the DHS-led cybersecurity council would have the authority to identify “critical cyber infrastructure” sectors which would be subject to the standards and information-sharing protocols. Critics are concerned that DHS will apply that term liberally,34 and press reports suggest that the executive order might adopt an even broader view of critical infrastructure than that contemplated by the terms of the Cybersecurity Act.35
Each of these issues will figure prominently in any debate that will surely follow the issuance of an executive order or the introduction of new cybersecurity legislation.
- Responding to Senator Rockefeller’s Letter
It is important that companies keep this background and the political context in mind when deciding how to respond to Senator Rockefeller’s letter.36 They should also remember that their responses may be released to the public and that they must therefore strike a careful balance between providing complete and accurate responses and ensuring that they do not release sensitive business or proprietary information that could be damaging to them or third parties.